Cybersecurity experts have detected a sophisticated campaign targeting energy sector companies, as the threat actor known as Sapphire Werewolf deploys an enhanced version of the Amethyst stealer malware.
The malware employs a multi-stage infection process. It first loads a Base64-encoded PE file into memory through the Assembly.Load() and Invoke() methods, avoiding writing the malicious payload to disk where security solutions might detect it. Upon execution, this initial loader unpacks and deploys the main Amethyst stealer payload, which has been protected with .NET Reactor obfuscation to evade detection by common security tools.
The malware further extends its evasion capabilities through WMI queries that examine hardware characteristics, including processor manufacturer details, motherboard information, BIOS serial numbers and disk model data. If virtualization is detected, the malware alters its behavior to avoid revealing its full capabilities to security researchers.
The Amethyst stealer's primary function is credential theft, targeting authentication data from multiple applications, including Telegram and browsers such as Chrome, Opera, Yandex, Brave and Edge. Additional functionality lets the malware extract SSH configuration files, remote desktop settings and VPN client credentials, giving attackers multiple vectors for maintaining persistent access to compromised networks. Once credentials are harvested, the malware stages the data locally before exfiltrating it through Telegram channels, providing attackers with a convenient and difficult-to-block command-and-control infrastructure.
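The three behaviours described above (a burst of WMI hardware-fingerprinting queries, an in-memory Assembly.Load of a Base64 blob, and a connection to the Telegram API from a process that has no reason to use it) each leave a distinct trace in endpoint telemetry. The following Node.js script is an added example, not code from the article or from any vendor's product: it runs three toy detection rules over a constructed set of events. The event schema, the `updater.exe` process name, the allowlist of processes expected to reach Telegram, and the 60-second window are all assumptions.

```javascript
// Added example (not from the article): toy detection rules over constructed
// endpoint telemetry modelling the three Amethyst behaviours described above.
// Event shape, field names, process names and sample values are assumptions.

const FINGERPRINT_CLASSES = ['Win32_Processor', 'Win32_BaseBoard', 'Win32_BIOS', 'Win32_DiskDrive'];
const TELEGRAM_HOSTS = new Set(['api.telegram.org']);
// Processes for which a Telegram API connection is expected (assumed allowlist).
const TELEGRAM_ALLOWED = new Set(['telegram.exe', 'chrome.exe', 'msedge.exe', 'brave.exe', 'opera.exe', 'browser.exe']);
const FINGERPRINT_WINDOW_MS = 60 * 1000;

// Constructed sample telemetry: one malicious process (pid 4120) plus benign noise.
const SAMPLE_EVENTS = [
  { ts: '2025-04-12T07:00:01Z', pid: 4120, proc: 'updater.exe', type: 'script_block',
    detail: '[System.Reflection.Assembly]::Load([Convert]::FromBase64String($b)).EntryPoint.Invoke($null,$null)' },
  { ts: '2025-04-12T07:00:02Z', pid: 4120, proc: 'updater.exe', type: 'wmi_query', detail: 'SELECT Manufacturer FROM Win32_Processor' },
  { ts: '2025-04-12T07:00:02Z', pid: 4120, proc: 'updater.exe', type: 'wmi_query', detail: 'SELECT Product FROM Win32_BaseBoard' },
  { ts: '2025-04-12T07:00:03Z', pid: 4120, proc: 'updater.exe', type: 'wmi_query', detail: 'SELECT SerialNumber FROM Win32_BIOS' },
  { ts: '2025-04-12T07:00:03Z', pid: 4120, proc: 'updater.exe', type: 'wmi_query', detail: 'SELECT Model FROM Win32_DiskDrive' },
  { ts: '2025-04-12T07:00:09Z', pid: 4120, proc: 'updater.exe', type: 'net_connect', detail: 'api.telegram.org:443' },
  // Benign noise: an inventory agent querying a single class, and the real Telegram client.
  { ts: '2025-04-12T07:00:05Z', pid: 880, proc: 'inventory.exe', type: 'wmi_query', detail: 'SELECT Model FROM Win32_DiskDrive' },
  { ts: '2025-04-12T07:00:06Z', pid: 2210, proc: 'telegram.exe', type: 'net_connect', detail: 'api.telegram.org:443' },
];

// Extract the WMI class name from a WQL query ("... FROM Win32_BIOS").
function wmiClass(query) {
  const m = /FROM\s+(Win32_\w+)/i.exec(query);
  return m ? m[1] : null;
}

// Rule 1: one process querying three or more of the fingerprinting classes
// inside the time window. A single inventory-style query does not trigger it.
function detectHardwareFingerprinting(events) {
  const byPid = new Map();
  for (const e of events) {
    if (e.type !== 'wmi_query') continue;
    const cls = wmiClass(e.detail);
    if (!cls || !FINGERPRINT_CLASSES.includes(cls)) continue;
    if (!byPid.has(e.pid)) byPid.set(e.pid, []);
    byPid.get(e.pid).push({ t: Date.parse(e.ts), cls, proc: e.proc });
  }
  const findings = [];
  for (const [pid, hits] of byPid) {
    hits.sort((a, b) => a.t - b.t);
    for (let i = 0; i < hits.length; i++) {
      const seen = new Set();
      for (let j = i; j < hits.length && hits[j].t - hits[i].t <= FINGERPRINT_WINDOW_MS; j++) seen.add(hits[j].cls);
      if (seen.size >= 3) {
        findings.push({ rule: 'wmi_hardware_fingerprinting', pid, proc: hits[i].proc, classes: [...seen].sort() });
        break;
      }
    }
  }
  return findings;
}

// Rule 2: a script block that reflectively loads an assembly from a Base64 string.
const ASSEMBLY_LOAD = /Assembly\]?::Load\s*\(/i;
const BASE64_DECODE = /FromBase64String/i;
function detectInMemoryAssemblyLoad(events) {
  return events
    .filter((e) => e.type === 'script_block' && ASSEMBLY_LOAD.test(e.detail) && BASE64_DECODE.test(e.detail))
    .map((e) => ({ rule: 'inmemory_assembly_load', pid: e.pid, proc: e.proc }));
}

// Rule 3: a connection to the Telegram API from a process outside the allowlist.
function detectTelegramFromUnexpectedProcess(events) {
  return events
    .filter((e) => e.type === 'net_connect' && TELEGRAM_HOSTS.has(e.detail.split(':')[0]))
    .filter((e) => !TELEGRAM_ALLOWED.has(e.proc.toLowerCase()))
    .map((e) => ({ rule: 'telegram_api_from_unexpected_process', pid: e.pid, proc: e.proc, dest: e.detail }));
}

function detect(events) {
  return [
    ...detectHardwareFingerprinting(events),
    ...detectInMemoryAssemblyLoad(events),
    ...detectTelegramFromUnexpectedProcess(events),
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of detect(SAMPLE_EVENTS)) console.log(JSON.stringify(f));
}
```

On the sample data all three rules fire on the same pid, which is the point: individually each signal is noisy (inventory agents query WMI, browsers reach Telegram), but one process tripping the loader, fingerprinting and exfiltration rules within seconds is a much stronger signal than any rule on its own.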
Additionally, Amethyst implements Triple DES symmetric encryption for string obfuscation, applying encryption to nearly every string parameter used in function calls rather than encrypting entire code blocks. This technique significantly complicates static analysis by security tools; the original report includes a code fragment demonstrating the decryption process in action. The campaign represents a significant evolution in the group's capabilities, featuring advanced evasion techniques and expanded data exfiltration functionality.
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 12 Apr 2025 07:25:19 +0000